Important change to IP Source Guard ARP Inspection

All Replies

  • Zyxel_Albert
    Zyxel_Albert Posts: 36  Zyxel Employee
    edited August 2021
    My one last try. Based on your ACL solution, select 'discard the packet' for 'forwarding action' in the policy and keep the rest of the settings as you've done. It should block ARP packets between end devices but forward to the GW.
    Try it to see if it meets what you need.
  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    edited August 2021

    Yes, it blocks ARP... but it blocks ARP trying to go to the GW. Even if I allow ARP for the GW MAC, I still need ARP to broadcast, so this will ARP the VLAN, which I don't want.

    I think the best option would be an ARP isolation option in the VLAN port settings.

    Here's what I need:

    ARP to the proxy ARP GW

    broadcast traffic between PCs like NetBIOS

    can't spoof GW ARP

    can't spoof local subnet ARP

    I can get 3 of the 4.

  • PeterUK
    PeterUK Posts: 3,459  Guru Member
    edited August 2021

    I think! I solved it!

    It turns out that IP Source Guard ARP Inspection does in fact check ARP when it's a broadcast but not for unicast ARP IF you only make a Classifier for ARP DestMac = ff:ff:ff:ff:ff:ff then do the 'Send the packet to the egress port' and ARP Inspection scans it first! Then when unicast ARP happens, ARP Inspection scans that.

    Well, it mostly works... So if ARP Inspection works on broadcast with 'Send the packet to the egress port' for ARP, then why not unicast ARP? To me this seems more like a bug.

    So the way it works now is I have a Classifier for ARP DestMac = ff:ff:ff:ff:ff:ff with 'Send the packet to the egress port' and ARP; this allows ARP Inspection to work, and then the client sends unicast ARP to the GW proxy ARP, but this does not stop, even with ARP Inspection working on unicast ARP, a client from sending a unicast ARP with legit sender MAC/IP to target MAC/IP, which bypasses the proxy ARP between clients...

    The only way to solve that would be to make a Classifier ARP DestMac block list per port, so if you have 20 MACs on 20 ports you have to do 400 Classifier rules!

    BUG

    Classifier for ARP DestMac = ff:ff:ff:ff:ff:ff with 'Send the packet to the egress port': ARP Inspection works

    Classifier for ARP with 'Send the packet to the egress port': ARP Inspection does not work

    Well, odd: it was working with ARP Inspection and Classifier for ARP DestMac = ff:ff:ff:ff:ff:ff with 'Send the packet to the egress port', now it's not, SO I guess this needs an ARP isolation option
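
A detection-side sketch of the gap described in the post above (an added example, not part of the original thread and not Zyxel code): it classifies captured ARP frames by destination MAC and reports unicast ARP sent directly between clients, which is the traffic that bypasses the proxy-ARP gateway. The MAC addresses, IPs and function names are constructed for illustration.

```python
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
GW_MAC = "02:00:00:00:00:01"                            # constructed: proxy-ARP gateway MAC
PC_A, PC_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed client MACs

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Parse an Ethernet frame (at most one 802.1Q tag); None if not IPv4 ARP."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":               # skip a single VLAN tag
        off += 4
    if len(frame) < off + 30 or frame[off:off + 2] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[off + 2:off + 10])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = frame[off + 10:off + 30]                        # sha(6) spa(4) tha(6) tpa(4)
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "oper": oper,
            "spa": socket.inet_ntoa(p[6:10]), "tpa": socket.inet_ntoa(p[16:20])}

def classify(frame, gw_mac=GW_MAC):
    # Sort a frame by where its ARP is headed at layer 2.
    a = parse_arp(frame)
    if a is None:
        return "not-arp"
    if a["dst"] == BROADCAST:
        return "broadcast"
    if gw_mac in (a["dst"], a["src"]):
        return "gateway-unicast"
    return "client-to-client"                           # unicast ARP that skips the gateway

def bypass_pairs(frames, gw_mac=GW_MAC):
    """(sender IP, target IP) for every unicast ARP exchanged directly between clients."""
    hits = [parse_arp(f) for f in frames if classify(f, gw_mac) == "client-to-client"]
    return [(a["spa"], a["tpa"]) for a in hits]

def build_arp(dst, src, oper, spa, tpa, tha="00:00:00:00:00:00"):
    """Construct a sample untagged ARP frame (test data only, nothing is sent)."""
    d, s, t = (bytes.fromhex(m.replace(":", "")) for m in (dst, src, tha))
    return (d + s + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + s + socket.inet_aton(spa) + t + socket.inet_aton(tpa))

SAMPLE = [                                              # constructed capture
    build_arp(BROADCAST, PC_A, 1, "192.0.2.10", "192.0.2.1"),
    build_arp(GW_MAC, PC_A, 1, "192.0.2.10", "192.0.2.11", GW_MAC),
    build_arp(PC_B, PC_A, 1, "192.0.2.10", "192.0.2.11", PC_B),
]
```

Run over a mirror-port capture, any `client-to-client` hit shows a unicast ARP that reached another client without passing the gateway.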

  • Zyxel_Adam
    Zyxel_Adam Posts: 430  Zyxel Employee
    Hi,

    Sorry for this late reply.
    As discussed in private message, we still insist that enabling ARP Inspection on the switch is enough for you to protect against ARP spoofing in your scenario.

    If you have any other thoughts, please feel free to post your idea in the idea section.
    We will have an agent investigate whether your idea is reasonable.

    Regards,

    Adam

  • PeterUK
    PeterUK Posts: 3,459  Guru Member

    "As discussed in private message, we still insist that enabling ARP Inspection on the switch is enough for you to protect against ARP spoofing in your scenario."

    But as said, if I use IP Source Guard + ARP Inspection without proxy ARP, then clients will connect to other clients at the switch level; with proxy ARP, clients must go through the GW, which you can firewall with a LAN-to-LAN rule on the GW.
  • Zyxel_Adam
    Zyxel_Adam Posts: 430  Zyxel Employee
    @PeterUK

    As discussed in private message, our understanding is that NetBIOS communication is between PCs. Using an ACL to forward PCs' traffic to the GW with Proxy ARP enabled may conflict with your scenario.

    Adam